New Module Microsoft Exchange Hosted

We have started a new module for managing Microsoft Exchange / Active Directory using ISPConfig. The goal of this module is to give customers control over their Tenancy organization. There is a lot of work, but we are on the right track, and we have done a lot of stuff.
This module is in 2 parts, one on Windows (using a Windows service to communicate with the AD / Exchange and the database), and the second on ISPConfig, for displaying and managing Active Directory objects.

As this module uses a copy of the LDAP database under MySQL (done by the Windows service), we need to implement complicated SQL queries.

However, we didn't find documentation for ISPConfig for doing that.
We just see that every MySQL table must have some columns, like sys_userid, sys_groupid etc.
How can we do that? We need to add a "where" to the query, but in the module, we have to select the whole table, and the {AUTHSQL} never helps.

The list object is defined in lib/classes/listform_actions.inc.php; it's a good place to get an overview of the existing functions. Basically you can override nearly every aspect of the list generation and query building in ISPConfig.

No, not yet. It is planned but we simply did not have the time to write it.

Basically forms are inherited from the tform_actions class and lists from the listform_actions class. You can override subfunctions of the form class similar to the list class, so you can even read data from sources other than MySQL. See e.g. the admin/server_config_edit.php file, which reads the data that is displayed in the form from an ini-style text blob field in MySQL (it could have been a file as well, or also LDAP if you use LDAP functions to get data in the form of an array / hash in PHP).

We are on the right track with the module, but we have some problems.
For example, users have multiple properties to be set or changed.
But in our module, you are not allowed to change the mail address and reset the password, or unlock the account etc.
For the moment, we manage users using a tform with multiple tabs. When we switch from one tab to another, it's automatically saved into the database. This is not what we expect. Is there a possible override to block that?
We do not want to build a separate form for each function, if there is another way.
Thanks for your help !

under ApsBase, but nothing that could help us.
We would like to use it to display the value, not set it (in the DB we prefer to have the byte value).
Maybe with a filter in the tform?
If someone has an idea...

Not really - it's implemented in cron_daily.php but not as an API function (btw: thanks for writing the patch).

I only posted my code as it allows to define the precision.

OK, thanks for your reply. It's a really simple patch, and it's working for me because it is only used for "SHOW" events, not "SAVE".
So the patch is not complete (I think).
When I have time, I will try to look at the other events.

Even though this was just sample code, would you mind validating and escaping all external input, e.g. here validating $_REQUEST['id'] as being just numbers or characters, whatever the right syntax is, and if the valid charset could lead to SQL injection or similar, you should escape it additionally.
Btw this should happen for all data that you cannot control, in this case also for data you gather from and to the Exchange side.
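
The validation and escaping asked for above, as an added example that is not part of the original thread and is not ISPConfig code: it uses plain PDO with an in-memory SQLite table instead of ISPConfig's database class. The table `exch_user`, the function names and the sample rows are assumptions; only `$_REQUEST['id']` and the `sys_userid` / `sys_groupid` columns come from the thread.

```php
<?php
// Added example: generic PDO, not ISPConfig's own database wrapper.
// Table exch_user, its rows and all function names are constructed.

/** Allow-list check: a positive decimal integer, nothing else. */
function validate_id($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Fetch one record, scoped to the caller's group, with bound parameters. */
function fetch_user(PDO $db, $rawId, int $sysGroupId): ?array
{
    $id = validate_id($rawId);
    if ($id === null) {
        return null; // invalid input never reaches the query
    }
    // Placeholders keep data out of the SQL text; sys_groupid limits
    // the result to records the calling tenant owns.
    $stmt = $db->prepare(
        'SELECT id, mail FROM exch_user WHERE id = :id AND sys_groupid = :gid'
    );
    $stmt->execute([':id' => $id, ':gid' => $sysGroupId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Values synced from the directory are external input as well. */
function validate_mail($raw): ?string
{
    $mail = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $mail === false ? null : $mail;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE exch_user (id INTEGER PRIMARY KEY, sys_userid INT, sys_groupid INT, mail TEXT)');
$db->exec("INSERT INTO exch_user VALUES (1, 10, 100, 'a@example.com'), (2, 11, 200, 'b@example.com')");

var_dump(fetch_user($db, '1', 100));        // id and group both match
var_dump(fetch_user($db, '2', 100));        // record of another group
var_dump(fetch_user($db, '1 OR 1=1', 100)); // fails the allow-list check
var_dump(validate_mail("x@example.com\r\nBcc: y@example.com")); // CRLF in a synced value
```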


Yes, we know that. In all forms, we put validators, and when we extract data from Exchange (Active Directory) we also validate the format.

We try our best, but we will also need other "eyes" to be sure that everything conforms to ISPConfig and to security.


Good to read. If there is code ready, just provide a link where to look at it.

@Falko / Till: There isn't a kind of security best practices in the context of ISPConfig3 module development, so that not every interested developer needs to read all the OWASP stuff in full, as probably some of those issues are solved by helper functions. So the dev "just" needs to understand the issue and why to use such helpers.

In fact, we just need to know if there is a simple function to track which data was modified, after it has been validated.

The data is saved in the onUpdateSave function of the tform_actions class. You can either completely override that function in case you want to store data in another source like a file, LDAP or similar instead of MySQL, or you override it and call the parent function after you have executed your custom code.

If you want to get the changes of a record, use the diffrec function of the mysql library. This function is used by ISPConfig to detect which differences have to be saved into the sys_datalog for processing on the server.